How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspxBy default, the ability to manage file and print shares is granted only to members of the Administrators, Power Users, and Server Operators groups. Because members of those groups have many other system-level privileges, it is not recommended to makeen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#10359749Mon, 15 Oct 2012 18:08:59 GMT91d46819-8472-40ad-a661-2c78acb4018c:10359749Frederic<p>How about windows 2008 R2 64bits ?</p>
<p>Can&#39;t find any version of TweakUI that works.</p>
<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=10359749" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#9801428Wed, 24 Jun 2009 15:51:49 GMT91d46819-8472-40ad-a661-2c78acb4018c:9801428Thomas<p>Hi Aaron</p>
<p>I've configured the three registry values SrvsvcConnection, SrvsvcShareFileInfo and SrvsvcSharePrintInfo, using the tweakUI tool. The idea is to add a local built-in group (print operators?) or a domain group. Adding those using the UI is easy enough, and the settings are verified as saved.</p>
<p>However, creating new printer objects, the configured group does not even appear on the new object. The system have of course been booted.</p>
<p>Currently we use a script to change permissions on new printer objects, but changing the default permissions would be a much better solution.</p>
<p>Thank you.</p>
<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=9801428" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#9141603Tue, 25 Nov 2008 14:36:44 GMT91d46819-8472-40ad-a661-2c78acb4018c:9141603Haas<p>Aaron, Thanks for the reply. </p>
<p>For the time being is an interesting quote to take away. The task of adding drivers, ports and printers and sharing them is trivial and gets executed by helpdesk people or even key-users in a site.</p>
<p>Now we need to give them at least power user membership to enable them to do this task. This creates a risk.</p>
<p>Is it possible to figure out what individual rights I need to give a user to be able to give him the same possibilties?</p>
<p>This would mean usinf tools like process monitor en process explorer and the like.</p>
<p>Any quick pointers? Thanks, John</p>
<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=9141603" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#9138817Mon, 24 Nov 2008 23:38:46 GMT91d46819-8472-40ad-a661-2c78acb4018c:9138817Haas<P>Hi Aaron,</P>
<P>I was very happy when I found your solution for this problem.</P>
<P>But it must be that I'm doing something wrong I implemented the three changes that you explain using tweakui, but I can still ot add any printers.</P>
<P>When I use the Add Printer Wizard (or Print Managemtn) the 'Local Printer attached to this computer' is grayed out. </P>
<P>When I add my user to the power users it works.</P>
<P>Can you help me out please?</P>
<P>Regards,</P>
<P>John</P>
<DIV class=ajmReply>
<P><EM>[Aaron Margosis]&nbsp; This blog post is about file and printer <STRONG>sharing</STRONG>, not about installing printers.&nbsp; Installing local printers remains an admin task for the time being.</EM></P></DIV><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=9138817" width="1" height="1">What changes does the manage file shares do?http://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#8953153Tue, 16 Sep 2008 01:07:14 GMT91d46819-8472-40ad-a661-2c78acb4018c:8953153Aen<p>I do not want to install tweak UI on every server, instead i rather just make the changes that tweak ui would do, and manually set them on my servers. &nbsp;I have a script where i have users create shares with for new hires. &nbsp;they need rights to create shares on the servers across the US, but i dont want them to have rights to do anything else but create a share on those few servers. &nbsp;</p>
<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8953153" width="1" height="1">XP SP2 How to Install Local Printers without granting Power User or Administrator?http://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#8353855Thu, 03 Apr 2008 16:55:53 GMT91d46819-8472-40ad-a661-2c78acb4018c:8353855Jon88<p>Does anyone know of away to How to Install Local Printers as a restricted user without granting Power User or Administrator in XP SP2? Thanks in advance.</p>
<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8353855" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#4201305Fri, 03 Aug 2007 09:17:23 GMT91d46819-8472-40ad-a661-2c78acb4018c:4201305Shrutika<p>Hi,</p>
<p>My machine is windows XP home edition, SP6.</p>
<p>I cannot get option &quot;Manage file/print server connections” operation in the “Access Control” dropdown in the right pane.</p>
<p>I get 2 options namely &quot;connect to registry remotely&quot; and &quot;access performance counter&quot; on the tweakUI screen.</p>
<p>Could you help?</p>
<p>Thanks,</p>
<p>Shrutika</p>
<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=4201305" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#2262477Tue, 24 Apr 2007 20:46:13 GMT91d46819-8472-40ad-a661-2c78acb4018c:2262477Pat Stafford<P>When I try to install TweakUIPowerToySetup.exe, I get an error: "Entry Point Not Found - The procedure entry point GetDllDirectoryW could not be located in the dynamic link library KERNEL32.DLL"</P>
<P>Is this supposed to be installable on Win2K? &nbsp;I tried the earlier version of TweakUI, but it doesn't offer any of the screens for privileges described above.</P>
<DIV class=ajmReply>
<P>Pat:&nbsp; Each version of TweakUI is tightly coupled to the version of Windows for which it was made.&nbsp; The XP version will not be usable on Windows 2000; and unfortunately, the Windows 2000 version did not include the extra ACL editing capability that the XP version allowed.&nbsp; There may be ways to get through this if you don't mind some risky registry editing...</P>
<P>-- Aaron</P></DIV><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=2262477" width="1" height="1">Create shared folder using command line on xp (rundll32)http://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#1510114Tue, 23 Jan 2007 01:58:37 GMT91d46819-8472-40ad-a661-2c78acb4018c:1510114Jay<P>Hi,</P>
<P>Does anyone know a way to invoke a command to create and shared a folder in window XP? &nbsp;I am not sure if the rundll32 will do all the trick.</P>
<P>Thanks,</P>
<P>Jay</P>
<P>jaydiep@gmail.com</P>
<DIV class=ajmReply>
<P>Jay: </P>
<P>Did you try NET SHARE from a command prompt?</P>
<P>HTH</P>
<P>-- Aaron</P></DIV><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=1510114" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#784279Tue, 03 Oct 2006 09:20:18 GMT91d46819-8472-40ad-a661-2c78acb4018c:784279Reniel<P>Hi,</P>
<P>Is there a way to incorporate "RUNAS.EXE" in logon scripts to run a program as an administrator without user intervention such as the password?</P>
<P>I am using rundll32 in logon scripts to install printers on the remote machine. In order for the ordinary user to install printers, I used gpedit.msc to allow "Power Users" to "load and unload device drivers". However, I am having problems setting the printer settings (i.e. page setup, paper size, etc.).</P>
<P>I have saved the settings of the printer in a network drive using the command:</P>
<P>rundll32 printui.dll,PrintUIEntry /Ss /n &lt;name of printer&gt; /a &lt;file where to save the settings&gt;</P>
<P>and then, tried to restore the settings using the following:</P>
<P>rundll32 printui.dll,PrintUIEntry /Sr /n &lt;name of printer&gt; /a &lt;file where to save the settings&gt;</P>
<P>However, it is telling me that the "Operation is not permitted" if I logon as a Power User. But if I use an account with Administrator rights, there is no problem.</P>
<P>I hope to solve this using the "RUNAS.EXE" utility.</P>
<P>Thanks!</P>
<DIV class=ajmReply>
<P>RUNAS.EXE always requires the password to be entered at the console.</P>
<P>-- Aaron</P></DIV><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=784279" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#776257Fri, 29 Sep 2006 02:03:23 GMT91d46819-8472-40ad-a661-2c78acb4018c:776257Tom<P>Hi, <BR>Is there any other ways to allow normal users to manage shares in addition to TweakUI? </P>
<div class=ajmReply>
<P>TweakUI offers the only UI that I know of to edit the permissions.&nbsp; Without that you're manipulating binary values in the registry.&nbsp; Now, once you have established permissions on one system with TweakUI, you can export the relevant registry values (SrvsvcConnection, SrvsvcShareFileInfo, and SrvsvcSharePrintInfo) from that system and import them onto other systems.&nbsp; If you do this, make sure that the accounts being granted access are either domain accounts or built-in accounts like "INTERACTIVE" and not local accounts that won't exist on the other systems.</P>
<P>HTH</P>
<P>-- Aaron</P></div><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=776257" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#768098Sat, 23 Sep 2006 20:06:45 GMT91d46819-8472-40ad-a661-2c78acb4018c:768098Kaari<P>Hi, <BR>I've got the same problem as Taylor. I set "Manage file shares" to FULL CONTROL for the local group INTERACTIVE, but no account in the local group USER can read, change or create file shares. <BR>OS: Windows XP SP2 incl. all patches</P>
<div class=ajmReply>
<P>Review the instructions on this post carefully -- there are <EM>three</EM> different items you need to change the access control for.</P>
<P>-- Aaron</P></div><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=768098" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#760414Mon, 18 Sep 2006 11:01:55 GMT91d46819-8472-40ad-a661-2c78acb4018c:760414TaylorHi,Mr Margosis
<br>I've changed the setting by using tweakUI,but it didn't work even if I reboot my computer.what's happened? <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=760414" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#522868Thu, 02 Feb 2006 09:26:23 GMT91d46819-8472-40ad-a661-2c78acb4018c:522868Aaron MargosisSteve: do you have any remote access (e.g., Remote Desktop, Remote Assistance) to the affected computer? Can you use RunAs to run the Malicious Software Removal Tool? BTW, once the MSRT has been run once as admin (and the EULA accepted), if you've enabled Automatic Updates MSRT will run automatically every month.
<br/><a rel="nofollow" target="_new" href="http://support.microsoft.com/Default.aspx?kbid=890830">http://support.microsoft.com/Default.aspx?kbid=890830</a><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=522868" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#522577Thu, 02 Feb 2006 01:47:27 GMT91d46819-8472-40ad-a661-2c78acb4018c:522577SteveHow do you support the remote LUA user whose machine for example has been exploited via a unpatched vulnerability such as blaster/sasser? The normal course of action would be to download a scan/repair utility, and install then run the utility. In the remote LUA scenario the installation/execution is prohibited. That has left us looking at a local administrator account as our &quot;sky is falling&quot; backdoor to deal with firmwide consequences of such an attack. Is there an alternative to having this backdoor in place.
<br/>
<br/>Thx in advance,
<br/>Steve<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=522577" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#507695Wed, 28 Dec 2005 13:25:52 GMT91d46819-8472-40ad-a661-2c78acb4018c:507695DavoudHi,
<br>
<br>I would like to know why changes to the “Manage file and printer sharing” operation are not needed and not recommended? And is there anyway to invoke these security windows such as “Manage file/print server connections” security window and so forth, directly and without using Tweakui?
<br>
<br>Thanks
<br>
<br><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=507695" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#506945Fri, 23 Dec 2005 04:22:06 GMT91d46819-8472-40ad-a661-2c78acb4018c:506945Aaron MargosisRyan, TEST THIS FIRST, but you may be able to build the ACLs you want on a Windows XP computer, then export those values from the registry and import them to the Windows 2000 computer. The three values you care about are: SrvsvcConnection, SrvsvcShareFileInfo, and SrvsvcSharePrintInfo.<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=506945" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#506854Thu, 22 Dec 2005 23:03:49 GMT91d46819-8472-40ad-a661-2c78acb4018c:506854RyanI'm stuck in a Windows 2000 environment and can't use that version of tweakui. Is there another easy way of doing this?<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=506854" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#503437Wed, 14 Dec 2005 06:50:20 GMT91d46819-8472-40ad-a661-2c78acb4018c:503437Aaron MargosisJohn, take a look at this utility. It takes advantage of the fact that Windows 2000 introduced per-user registration data - HKCR is now a merged view of HKLM\Software\Classes and HKCU\Software\Classes (the latter is user-writable).
<br>
<br>RegSvrEx - An Enchanced COM Server Registration Utility
<br><a rel="nofollow" target="_new" href="http://www.codeproject.com/w2k/regsvrex.asp">http://www.codeproject.com/w2k/regsvrex.asp</a>
<br>
<br><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=503437" width="1" height="1">Function permissions without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#499010Thu, 01 Dec 2005 21:09:08 GMT91d46819-8472-40ad-a661-2c78acb4018c:499010JohnI'm a sys admin with a question about desktop permissions. We are in a Win2K (migrating to XP) mid-size environment. We have customers who occasionally request admin rights to run certain software titles, etc. Sometimes we can grant limited file or registry permissions to allow them to function without elevated rights, sometimes not.
<br>
<br>The current dilemma before me is a group of users who need to run regsvr32 to register new dll's on a fairly regular basis. Do you know of an explicit permission that would allow this, without elevating rights to power user or admin? Thanks <div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=499010" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#485613Thu, 27 Oct 2005 17:33:16 GMT91d46819-8472-40ad-a661-2c78acb4018c:485613Chris Nice work!
<br> I'm wonder if there is any way that I can alow my users to install local printer without belong to a Power User group? Thanks<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=485613" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#476887Tue, 04 Oct 2005 18:27:02 GMT91d46819-8472-40ad-a661-2c78acb4018c:476887Glenn WoodruffIt's nice that this can be done from TweakUI, but this doesn't help a lot in a managed or (in my case) XPe enviroment. Is there another way to do this?<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=476887" width="1" height="1">Palm...http://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#475241Thu, 29 Sep 2005 11:33:59 GMT91d46819-8472-40ad-a661-2c78acb4018c:475241Chamach
<br>Palm and admin :
<br><a rel="nofollow" target="_new" href="http://kb.palm.com/SRVS/CGI-BIN/WEBCGI.EXE/,/?St=38,E=0000000000160050878,K=7811,Sxi=17,Case=obj">http://kb.palm.com/SRVS/CGI-BIN/WEBCGI.EXE/,/?St=38,E=0000000000160050878,K=7811,Sxi=17,Case=obj</a>(1465)<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=475241" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#461670Wed, 07 Sep 2005 02:33:34 GMT91d46819-8472-40ad-a661-2c78acb4018c:461670kevinHi Aaron,
<br>
<br>Currently our users need admin rights when they install a Palm like device. The need is to sync up with Outlook etc.
<br>Do you have any suggestions for this?
<br>thanks.
<br><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=461670" width="1" height="1">re: How to allow users to manage file and print shares without granting other advanced privilegeshttp://blogs.msdn.com/b/aaron_margosis/archive/2005/04/18/409105.aspx#441532Fri, 22 Jul 2005 00:28:48 GMT91d46819-8472-40ad-a661-2c78acb4018c:441532Jon MorningstarDo you have any advice about and/or a way to allow standard users to add fonts?<div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=441532" width="1" height="1">